{"id":13493096,"url":"https://github.com/Sh1Yo/x8","last_synced_at":"2025-03-28T11:31:42.940Z","repository":{"id":37945610,"uuid":"362146794","full_name":"Sh1Yo/x8","owner":"Sh1Yo","description":"Hidden parameters discovery suite","archived":false,"fork":false,"pushed_at":"2024-09-08T10:29:37.000Z","size":449,"stargazers_count":1798,"open_issues_count":21,"forks_count":161,"subscribers_count":27,"default_branch":"main","last_synced_at":"2025-03-19T07:04:44.980Z","etag":null,"topics":["bugbounty","content-discovery","recon","rust","security","web"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sh1Yo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-27T14:43:22.000Z","updated_at":"2025-03-16T12:15:58.000Z","dependencies_parsed_at":"2022-07-12T17:04:05.232Z","dependency_job_id":"9e9a1d76-747a-492a-8e56-74716164bf5a","html_url":"https://github.com/Sh1Yo/x8","commit_stats":{"total_commits":290,"total_committers":4,"mean_commits":72.5,"dds":0.03448275862068961,"last_synced_commit":"c43f9df824971cbb71b0e188cb881633c728e053"},"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sh1Yo%2Fx8","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sh1Yo%2Fx8/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sh1Yo%2Fx8/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sh1Yo%2Fx8/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sh1Yo","download_url":"https://codeload.github.com/Sh1Yo/x8/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246020987,"owners_count":20710864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","content-discovery","recon","rust","security","web"],"created_at":"2024-07-31T19:01:12.154Z","updated_at":"2025-03-28T11:31:42.654Z","avatar_url":"https://github.com/Sh1Yo.png","language":"Rust","readme":"[![Twitter](https://img.shields.io/twitter/follow/sh1yo_.svg?logo=twitter)](https://twitter.com/sh1yo_)\n![stars](https://img.shields.io/github/stars/Sh1Yo/x8)\n[![issues](https://img.shields.io/github/issues/sh1yo/x8?color=%20%237fb3d5%20)](https://github.com/sh1yo/x8/issues)\n\n[![Latest Version](https://img.shields.io/github/release/sh1yo/x8.svg?style=flat-square)](https://github.com/sh1yo/x8/releases)\n[![crates.io](https://img.shields.io/crates/v/x8.svg)](https://crates.io/crates/x8)\n[![crates_downloads](https://img.shields.io/crates/d/x8?logo=rust)](https://crates.io/crates/x8)\n[![github_downloads](https://img.shields.io/github/downloads/sh1yo/x8/total?label=downloads\u0026logo=github)](https://github.com/sh1yo/x8/releases)\n\n\u003c!-- ![lang](https://img.shields.io/github/languages/top/sh1yo/x8) --\u003e\n\n\u003ch1 align=\"center\"\u003ex8\u003c/h1\u003e\n\n\u003ch3 align=\"center\"\u003eHidden parameters discovery suite written in Rust.\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=https://user-images.githubusercontent.com/54232788/212553519-f4cdfb1c-f5f2-4238-a6a8-e9393b98b529.gif\u003e\u003c/p\u003e\n\nThe tool aids in identifying hidden parameters that could potentially be vulnerable or reveal interesting functionality that may be missed by other testers. Its high accuracy is achieved through line-by-line comparison of pages, comparison of response codes, and reflections.\n\n# Documentation\n\nThe documentation that explains every feature can be accessed at [https://sh1yo.art/x8docs/](https://sh1yo.art/x8docs/). The source of the documentation is located at [/docs.md](docs.md).\n\n# Tree\n\n- [Features](#features)\n- [Examples](#examples)\n- [Test site](#test-site)\n- [Usage](#usage)\n- [Wordlists](#wordlists)\n- [Burp Suite integration](#burp-suite-integration)\n- [Installation](#installation)\n\n# Features\n\n- Fast.\n- Offers flexible request configuration through the use of templates and injection points.\n- Highly scalable, capable of checking thousands of URLs per run.\n- Provides higher accuracy compared to similar tools, especially in difficult cases.\n- Capable of discovering parameters with non-random values, such as admin=true.\n- Highly configurable with a wide range of customizable options.\n- Achieves almost raw requests through external library modification.\n\n# Examples\n\n#### Check parameters in query\n\n```bash\nx8 -u \"https://example.com/\" -w \u003cwordlist\u003e\n```\n\nWith default parameters:\n```bash\nx8 -u \"https://example.com/?something=1\" -w \u003cwordlist\u003e\n```\n\n`/?something=1` equals to `/?something=1\u0026%s`\n\n#### Send parameters via body\n\n```bash\nx8 -u \"https://example.com/\" -X POST -w \u003cwordlist\u003e\n```\n\nOr with a custom body:\n```bash\nx8 -u \"https://example.com/\" -X POST -b '{\"x\":{%s}}' -w \u003cwordlist\u003e\n```\n`%s` will be replaced with different parameters like `{\"x\":{\"a\":\"b3a1a\", \"b\":\"ce03a\", ...}}`\n\n#### Check multiple urls in paralell\n\n```bash\nx8 -u \"https://example.com/\" \"https://4rt.one/\" -W0\n```\n\n#### Custom template\n\n```bash\nx8 -u \"https://example.com/\" --param-template \"user[%k]=%v\" -w \u003cwordlist\u003e\n```\n\nNow every request would look like `/?user[a]=hg2s4\u0026user[b]=a34fa\u0026...`\n\n#### Percent encoding\n\nSometimes parameters should be encoded. It is also possible:\n\n```bash\nx8 -u \"https://example.com/?path=..%2faction.php%3f%s%23\" --encode -w \u003cwordlist\u003e\n```\n\n```http\nGET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp...%23 HTTP/1.1\nHost: example.com\n```\n\n#### Search for headers\n\n```bash\nx8 -u \"https://example.com\" --headers -w \u003cwordlist\u003e\n```\n\n#### Search for header values\n\nYou can also target single headers:\n\n```bash\nx8 -u \"https://example.com\" --headers -H \"Cookie: %s\" -w \u003cwordlist\u003e\n```\n\n# Test site\n\nYou can check the tool and compare it with other tools on the following urls:\n\n`https://4rt.one/level1` (GET)\n\u003c!-- `https://4rt.one/level2` (POST JSON) --\u003e\n`https://4rt.one/level3` (GET)\n\n# Usage\n\n```\nUSAGE:\n x8 [FLAGS] [OPTIONS]\n\nFLAGS:\n --append Append to the output file instead of overwriting it.\n -B Equal to -x http://localhost:8080\n --check-binary Check the body of responses with binary content types\n --disable-additional-checks Private\n --disable-colors\n --disable-custom-parameters Do not automatically check parameters like admin=true\n --disable-progress-bar\n --disable-trustdns Can solve some dns related problems\n --encode Encodes query or body before making a request, i.e \u0026 -\u003e %26, = -\u003e %3D\n List of chars to encode: \", `, , \u003c, \u003e, \u0026, #, ;, /, =, %\n -L, --follow-redirects Follow redirections\n --force Force searching for parameters on pages \u003e 25MB. Remove an error in case there's 1\n worker with --one-worker-per-host option.\n -h, --help Prints help information\n --headers Switch to header discovery mode.\n NOTE Content-Length and Host headers are automatically removed from the list\n --invert By default, parameters are sent within the body only in case PUT or POST methods\n are used.\n It's possible to overwrite this behavior by specifying the option\n --mimic-browser Add default headers that browsers usually set.\n --one-worker-per-host Multiple urls with the same host will be checked one after another,\n while urls with different hosts - are in parallel.\n Doesn't increase the number of workers\n --reflected-only Disable page comparison and search for reflected parameters only.\n --remove-empty Skip writing to file outputs of url:method pairs without found parameters\n --replay-once If a replay proxy is specified, send all found parameters within one request.\n --strict Only report parameters that have changed the different parts of a page\n --test Prints request and response\n -V, --version Prints version information\n --verify Verify found parameters.\n\nOPTIONS:\n -b, --body \u003cbody\u003e Example: --body '{\"x\":{%s}}'\n Available variables: {{random}}\n -c \u003cconcurrency\u003e The number of concurrent requests per url [default: 1]\n --custom-parameters \u003ccustom-parameters\u003e\n Check these parameters with non-random values like true/false yes/no\n (default is \"admin bot captcha debug disable encryption env show sso test waf\")\n --custom-values \u003ccustom-values\u003e\n Values for custom parameters (default is \"1 0 false off null true yes no\")\n\n -t, --data-type \u003cdata-type\u003e\n Available: urlencode, json\n Can be detected automatically if --body is specified (default is \"urlencode\")\n -d, --delay \u003cDelay between requests in milliseconds\u003e [default: 0]\n -H \u003cheaders\u003e Example: -H 'one:one' 'two:two'\n --http \u003chttp\u003e HTTP version. Supported versions: --http 1.1, --http 2\n -j, --joiner \u003cjoiner\u003e\n How to join parameter templates. Example: --joiner '\u0026'\n Default: urlencoded - '\u0026', json - ', ', header values - '; '\n --learn-requests \u003clearn-requests-count\u003e Set the custom number of learn requests. [default: 9]\n -m, --max \u003cmax\u003e\n Change the maximum number of parameters per request.\n (default is \u003c= 256 for query, 64 for headers and 512 for body)\n -X, --method \u003cmethods\u003e Multiple values are supported: -X GET POST\n -o, --output \u003cfile\u003e\n -O, --output-format \u003coutput-format\u003e standart, json, url, request [default: standart]\n -P, --param-template \u003cparameter-template\u003e\n %k - key, %v - value. Example: --param-template 'user[%k]=%v'\n Default: urlencoded - \u003c%k=%v\u003e, json - \u003c\"%k\":%v\u003e, headers - \u003c%k=%v\u003e\n -p, --port \u003cport\u003e Port to use with request file\n --progress-bar-len \u003cprogress-bar-len\u003e [default: 26]\n --proto \u003cproto\u003e Protocol to use with request file (default is \"https\")\n -x, --proxy \u003cproxy\u003e\n --recursion-depth \u003crecursion-depth\u003e\n Check the same list of parameters with the found parameters until there are no new parameters to be found.\n Conflicts with --verify for now.\n --replay-proxy \u003creplay-proxy\u003e\n Request target with every found parameter via the replay proxy at the end.\n\n -r, --request \u003crequest\u003e The file with the raw http request\n --save-responses \u003csave-responses\u003e\n Save request and response to a directory when a parameter is found\n\n --split-by \u003csplit-by\u003e\n Split the request into lines by the provided sequence. By default splits by \\r, \\n and \\r\\n\n\n --timeout \u003ctimeout\u003e HTTP request timeout in seconds. [default: 15]\n -u, --url \u003curl\u003e\n You can add a custom injection point with %s.\n Multiple urls and filenames are supported:\n -u filename.txt\n -u https://url1 http://url2\n -v, --verbose \u003cverbose\u003e Verbose level 0/1/2 [default: 1]\n -w, --wordlist \u003cwordlist\u003e\n The file with parameters (leave empty to read from stdin) [default: ]\n\n -W, --workers \u003cworkers\u003e\n The number of concurrent url checks.\n Use -W0 to run everything in parallel [default: 1]\n```\n\n# Wordlists\nParameters:\n- [samlists](https://github.com/the-xentropy/samlists)\n- [arjun](https://github.com/s0md3v/Arjun/tree/master/arjun/db)\n\nHeaders:\n- [Param Miner](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/BurpSuite-ParamMiner)\n\n# Burp Suite integration\n\nThe burpsuite integration is done via the [send to](https://portswigger.net/bappstore/f089f1ad056545489139cb9f32900f8e) extension.\n\n### Setting up\n\n1. Launch Burp Suite and navigate to the 'Extender' tab.\n2. Locate and install the 'Custom Send To' extension from the BApp Store.\n3. Open the 'Send to' tab and click on the 'Add' button to configure the extension.\n\nGive a name to the entry and insert the following line into the command:\n\n```\n/path/to/x8 --progress-bar-len 20 -c 3 -r %R -w /path/to/wordlist --proto %T --port %P\n```\n\nYou can also add your frequently used arguments like `--output-format`,`--replay-proxy`, `--recursion-depth`, ..\n\n**NOTE** if the progress bar doesn't work properly --- try to reducing the value of `--progress-bar-len`.\n\nSwitch from Run in background to Run in terminal.\n\n![image](https://user-images.githubusercontent.com/54232788/201471567-2a388157-e2f1-4d68-aebe-5ecc3c1090ee.png)\n\nIf you encounter issues with font rendering in the terminal, you can adjust the `xterm` options in **Send to Miscellaneous Options**. Simply replace the existing content with `xterm -rv -fa 'Monospace' -fs 10 -hold -e %C`, or substitute `xterm` with your preferred terminal emulator.\n\nNow you can go to the proxy/repeater tab and send the request to the tool:\n\n![image](https://user-images.githubusercontent.com/54232788/201518132-87fd0c40-5877-4f46-a036-590967759b3f.png)\n\nIn the next dialog, you can modify the command and execute it in a new terminal window.\n\n![image](https://user-images.githubusercontent.com/54232788/201518230-3d7959c4-3530-497d-9aca-b20de80321cb.png)\n\nAfter executing the command, a new terminal window will appear, displaying the running tool.\n\n![image](https://user-images.githubusercontent.com/54232788/224473570-cabbd4ee-8c15-4a09-bc2a-c660c534a429.jpg)\n\n# Installation\n\n**NOTE**: Starting with v4.0.0, installing via `cargo install` uses the `crate` branch instead of `main`. This branch includes the original `reqwest` library that performs HTTP normalizations and prevents sending invalid requests. If you want to use the modified reqwest version without these limitations, I recommend installing via the `Releases` page or building the sources.\n\n- Docker\n - installation\n ```bash\n git clone https://github.com/Sh1Yo/x8\n cd x8\n docker build -t x8 .\n ```\n - [usage](https://github.com/Sh1Yo/x8/pull/29)\n\n- Linux\n - from releases\n - from blackarch repositories (repositories should be installed)\n ```bash\n # pacman -Sy x8\n ```\n - from source code (rust should be installed)\n ```bash\n git clone https://github.com/sh1yo/x8\n cd x8\n cargo build --release\n # move the binary to $PATH so you can use it without specifying the full path\n cp ./target/release/x8 /usr/local/bin \n # if it says that /usr/local/bin doesn't exists you can try\n # sudo cp ./target/release/x8 /usr/bin\n ```\n - via cargo install\n ```bash\n cargo install x8\n ```\n- Mac\n - from source code (rust should be installed)\n ```bash\n git clone https://github.com/sh1yo/x8\n cd x8\n cargo build --release\n # move the binary to $PATH so you can use it without specifying the full path\n cp ./target/release/x8 /usr/local/bin \n ```\n - via cargo install\n ```bash\n cargo install x8\n ```\n\n- Windows\n - from releases\n","funding_links":[],"categories":["Rust","Recon","Weapons","信息搜集","Projects","Web"],"sub_categories":["Parameters","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSh1Yo%2Fx8","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSh1Yo%2Fx8","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSh1Yo%2Fx8/lists"}